Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - Email sender IP in TI list

Back
Id78979d32-e63f-4740-b206-cfb300c735e0
RulenameProofpointPOD - Email sender IP in TI list
DescriptionEmail sender IP in TI list.
SeverityMedium
TacticsExfiltration
InitialAccess
TechniquesT1078
T1567
Required data connectorsProofpointPOD
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderIPinTIList.yaml
Version1.1.1
Arm template78979d32-e63f-4740-b206-cfb300c735e0.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
          ProofpointPOD 
          | where TimeGenerated >= ago(dt_lookBack)
          | where isnotempty(SrcIpAddr)
          | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr
  )
on $left.TI_ipEntity == $right.ClientIP
| where ProofpointPOD_TimeGenerated < ExpirationDateTime
| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP
| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
TI_ipEntity, ClientIP
| extend timestamp = ProofpointPOD_TimeGenerated
kind: Scheduled
description: |
    'Email sender IP in TI list.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderIPinTIList.yaml
version: 1.1.1
triggerThreshold: 0
queryPeriod: 14d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: SrcUserUpn
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_maillog_CL
triggerOperator: gt
id: 78979d32-e63f-4740-b206-cfb300c735e0
name: ProofpointPOD - Email sender IP in TI list
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
  | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
  | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
            ProofpointPOD 
            | where TimeGenerated >= ago(dt_lookBack)
            | where isnotempty(SrcIpAddr)
            | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr
    )
  on $left.TI_ipEntity == $right.ClientIP
  | where ProofpointPOD_TimeGenerated < ExpirationDateTime
  | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP
  | project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,
  TI_ipEntity, ClientIP
  | extend timestamp = ProofpointPOD_TimeGenerated  
tactics:
- Exfiltration
- InitialAccess
queryFrequency: 1d
relevantTechniques:
- T1078
- T1567
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78979d32-e63f-4740-b206-cfb300c735e0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78979d32-e63f-4740-b206-cfb300c735e0')]",
      "properties": {
        "alertRuleTemplateName": "78979d32-e63f-4740-b206-cfb300c735e0",
        "customDetails": null,
        "description": "'Email sender IP in TI list.'\n",
        "displayName": "ProofpointPOD - Email sender IP in TI list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SrcUserUpn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderIPinTIList.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n          ProofpointPOD \n          | where TimeGenerated >= ago(dt_lookBack)\n          | where isnotempty(SrcIpAddr)\n          | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\n  )\non $left.TI_ipEntity == $right.ClientIP\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1567"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}